SecOps in the era of rapidly emerging cloud-native technology has no shortage of problems, but a recent high-profile attack executed using an IT monitoring vendor's software opens a relatively unexplored aspect of cybersecurity to fresh scrutiny, experts say.
Orion IT monitoring and management software by SolarWinds is at the center of a massive cyberattack by a nation-state -- widely believed to be Russia -- that was uncovered over the last week. The attack, which began in early 2020, targeted multiple U.S. government agencies, including the Departments of the Treasury and Commerce and the National Telecommunications and Information Administration, according to a Reuters report.
Attackers inserted malicious code into an Orion software update that was signed by SolarWinds, and users of the software unwittingly downloaded it as part of routine maintenance. That file then exfiltrated data to attackers and gave them command and control over users' systems.
It's not yet known how many organizations the breach affected, but a now-deleted page on SolarWinds' website had claimed as customers more than 425 U.S. Fortune 500 companies, all branches of the U.S. military, and government agencies including the Pentagon, State Department and the Executive Office of the President.
SecOps experts are reeling from the sophistication of the attack and its implications for an already-struggling enterprise security industry that's also contending with unprecedented demands as a result of COVID-19.
"This attack was very sophisticated and hard to identify," said William Dougherty, chief information security officer at Omada Health, a San Francisco-based healthcare provider. "To find it, the typical infosec team would either need to monitor all outbound connections from all on-premises vendor tools and do a deep inspection of the traffic, or simply block all outbound connections from these tools, except for specifically defined IPs at specific times. It's really hard."
Dougherty's company doesn't use SolarWinds products, but that's purely a coincidence, he said.
"I am not a current SolarWinds customer, but only by dumb luck," he said. "I've used that vendor at four different companies over the past 15 years and considered their products to be top-notch."
The Department of Defense (DoD) will neither confirm nor deny whether it fell victim to this recent attack, but one official said it has prompted the agency to reconsider its SecOps vendor requirements going forward.
"[Risk] findings we see from companies are insane," said Nicolas Chaillan, chief software officer at the U.S. Air Force, and co-lead for the DoD's Enterprise DevSecOps Initiative. "Scan containers from any of the big companies, [and] you will see the volume of findings."
Securing third-party software prompts questions with few answers
The SolarWinds attack exposed a major enterprise SecOps risk for which there are few reliable remedies yet. Emerging tools such as the open source in-toto can help enterprises secure their own software pipelines, and scanning tools such as ShiftLeft can reveal potential risks in third-party software. But there isn't a standard tool that SecOps pros can use to ensure security within third-party vendor products.
For now, it's up to the vendors themselves to make their software supply chains fully secure, and the only realistic recourse customers currently have is to put pressure on them to do so, Chaillan said.
"Some companies have 12 years of dependencies un-updated, including large orgs [and] publicly traded companies," Chaillan said, though he declined to name any. "If a company like SolarWinds is hacked and bad actor[s] embed malicious software into their pipeline and updating process, you can imagine how bad it can be with smaller startups."
The DoD has already begun to demand its software vendors fix those dependencies before it will make further purchases, Chaillan said.
Meanwhile, static code scans cover only a fraction of the potential attack surface exposed via software supply chains, Chaillan added, and many important questions in the wake of the SolarWinds attack remain unanswered.
"We will try [ShiftLeft] to look at purposeful malicious code like time bomb or [exfiltration] code," he said. "But if a [vendor's] scanner is compromised by a bad actor, they could purposely ignore findings -- that's why supply chain is going to be the next big deal."
Omada's Dougherty agreed that third-party software supply chain security presents a vexing problem that won't be easily addressed.
"It highlights the importance of managing third-party risk and being very selective with what you allow on your networks and servers," he said. "[It] will make customers more paranoid about automatic updates, which will lengthen patch windows and make other tools more expensive to operate and less secure."
"This one was really bad," Dougherty added. "I don't think there is an easy solution."
Chaillan echoed Dougherty's assessment.
"For one of the first times in my career I don't have an answer," he said. "This attack was the most sophisticated I've ever seen."